Guild Blogs

Finding

A quick way to scan a bunch of WordPress installs for the Docs virus. Not sure of the real name since I can't find a reference to it on the net.

dir /s /b *.php | find "docs.php"

A more thorough search is:

findstr /sim /c:"chr(base_convert(substr" *.php

This looks for the actual code that decodes the virus.

Either method could produce some false positives so apply some comment sense before deleting files.

Removing

Removing the virus consists of checking the first line in the function.php file for each theme and removing the junk after <?php

Then delete the Docs plugin.

You will need to do this with your site disabled as the plugin will reinfect the functions.php files and the functions.php extras will reinstall the plugin.

Analysis

I haven't spent too much time trying to figure out what it does exactly. However, this is what I do know.

The code added to the theme functions.php

First it checks to see if the wp-content/plugins/docs/docs.php file exists and if not it downloads a copy from http://lamulata.biz/cript_doc.php

Next if the docs.php file exists it checks to see if it is activated. If not it activates it.

docs.php

Registers a daily cron job which is used to update itself.

Uses the docs_wp_plugin_active_list_update action to hide itsoft from the plugin list.

Hooks the wp_head action which seems to send some data about the current request to http://178.132.204.58/index.php

Ultimately it seems to fetch some content from a remote site and includes it in the page content or completely replaces the content.

One of the side effects is that it looks for a writeable tmp directory and caches data there. I found over 25,000 files in one cache folder.

I recently had to remove a StealRat infection from a computer. Unfortunately most of the available information is out of date and only helped somewhat.

Once I found the actual file that was the issue I developed a better command to detect any other infections:

findstr /sim /c:"'](NULL)" *.php

devZing has released a new MantisBT control panel for managing those settings that are not exposed inside MantisBT giving you even more control over your install.

Read More

While researching a topic for my book I cam across the original paper that helped spawn the concept of Yesterday's Weather. That is the probability that amount of work you will do next week is highly likely to be the same as the amount of work you did last week.

Abstract

In this study, the authors used 111 time series to examine the accuracy of various forecasting methods, particularly time-series methods. The study shows, at least for time series, why some methods achieve greater accuracy than others for different types of data. The authors offer some explanation of the seemingly conflicting conclusions of past empirical research on the accuracy of forecasting. One novel contribution of the paper is the development of regression equations expressing accuracy as a function of factors such as randomness, seasonality, trend-cycle and the number of data points describing the series. Surprisingly, the study shows that for these 111 series simpler methods perform well in comparison to the more complex and statistically sophisticated ARMA models.

Accuracy of Forecasting: An Empirical Investigation, Spyros Makridakis, Michele Hibon and Claus Moser, Journal of the Royal Statistical Society. Series A (General), Vol. 142, No. 2 (1979), pp. 97-145.

Announcement

MantisBT Hosting by devZing

devZing has a good post on how to delete bugs in Bugzilla.

All Bugzilla instances have been updated to 3.4.6. You can read about all the changes here or just the differences below.

• When doing a search that involves "not equals" or "does not contain the string" or similar "negative" search types, the search description that appears at the top of the resulting bug list will indicate that the search was of that type. (Bug 474738)
• In Internet Explorer, users couldn't easily mark a RESOLVED DUPLICATE bug as REOPENED, due to a JavaScript error. (Bug 546719)
• If you use a "bookmarkable template" to pre-fill forms on the bug-filing page, and you have custom fields that are only supposed to appear (or only supposed to have certain values) based on the values of other fields, those custom fields will now work properly. (Bug 538211)
• If you have a custom field that's only supposed to appear when a bug's resolution is FIXED, it will now behave properly on the bug-editing form when a user sets the bug's status to RESOLVED. (Bug 520993)
• If you are logged-out and using request.cgi, the Requester and Requestee fields no longer respect the usermatching parameter--they always require full usernames. (Bug 533018)
• If you tried to do a search with too many terms (resulting in a URL that was longer than about 7000 characters), Apache would return a 500 error instead of your search results. (Bug 513989)
• Bugzilla would sometimes lose fields from your sort order when you added new fields to your sort order. (Bug 470214)
• The Atom format of search results would sometimes be missing the Reporter or Assignee field for some bugs. (Bug 537834)

No Hassle Open Source Project Management Hosting

MantisBT 1.2.0 is finally out. We'll be starting the upgrade evaluation process shortly. In the meantime you can still get an instant activation trial to MantisBT 1.1.8.

No Hassle Open Source Project Management Hosting

The next revision of our open source project management hosting service is now live - devZing.com

try bugzilla »	try mantisbt »

All Bugzilla instances have been updated to 3.4.5 in order to resolve a security issue announced yesterday.